Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen - - PowerPoint PPT Presentation



SLIDE 1

Formal Analysis of Imperfect Cryptographic Protocols

Long Nguyen Hoang

University of Tartu, Institute of Computer Science

SLIDE 2

Agenda

  • Introduction
  • Probabilistic-spi calculus
  • Security protocol verification
  • Conclusion
  • Q&A
SLIDE 3

Protocol Analysis Techniques

  • Two views of cryptographic analysis

– Formal model
– Computational model

  • Crypto protocol analysis (diagram)

– Formal Model, Dolev-Yao (perfect cryptography): Protocol Logics (BAN, PCL); Model Checking (Murphi, AVISPA); Process Calculi (Applied Π-calculus)
– Computational Model: Random oracle; Probabilistic process calculi; Probabilistic I/O automata

SLIDE 4

The Best of Both Worlds, can we?

  • Attacker actions

– Formal model: fixed set of actions, e.g., decryption with known key (ABSTRACTION)
– Computational model: (+) any probabilistic poly-time computation

  • Security properties

– Formal model: idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
– Computational model: (+) fine-grained, e.g., secret message = no partial information about bitstring representation

  • Analysis methods

– Formal model: (+) successful array of tools and techniques; automation
– Computational model: hand-proofs are difficult, error-prone; no automation

SLIDE 5

Our Approaches

  • A “hybrid” model

– Semantics for imperfect cryptography
– Probabilistic-spi calculus
– Intruder model

  • Related works

– Probabilistic Polynomial-time equivalence [Mitchell-Scedrov]
– Reconciling Two Views of Cryptography [Abadi-Rogaway]
– Soundness and completeness of formal encryption [Adao-Bana-Scedrov]
– …

SLIDE 6

Semantics for imperfect cryptography

  • pPat grammar

P.p, Q.p ::= probabilistic patterns

– K.p    key (for K ∈ Keys)
– m.p    string (for m ∈ String)
– (P.p, Q.p).p    pair

where p ∈ [0, 1]

  • Probability of obtaining m from {m}K without knowing K

∀A, Pr[m A({m}K, G)] ≤ pdec({m}K, G)

SLIDE 7

Evaluate the Probability

SLIDE 8

Example

  • Consider M = (({{(m,K)}K1}K2 , {(K1,K2)}K),K’)
SLIDE 9

Example (3)

  • Consider M = (({{(m,K)}K1}K2 , {(K1,K2)}K),K’)
SLIDE 10

Example (4)

SLIDE 11

Security Notion

  • Indistinguishability

M N pPM ~ pPN /\ | pMaxM – pMaxN|

SLIDE 12

Security Notion (2)

  • Perfect encryption vs Ideal encryption

M ≅ N ⇔ M 0 N M ≅ N M N ∀ ∈ [0,1]

  • M ≅ N M N ∀ > 1/q(η)
SLIDE 13

Probabilistic-spi Calculus

  • Work with “imperfect” cryptography
  • Extended from spi-calculus

– Probability to attack encrypted terms without knowing corresponding key
– Allow statistical analysis, guessing, etc.

SLIDE 14

Probabilistic-spi Grammar

  • Set of terms

L;M;N ::= terms

– N    name
– (M;N)    pair
– 0    zero
– suc(M)    successor
– x    variable
– {m}K.p

  • Set of processes

P,Q,R ::= processes

– MN.P    output
– M(x).P    input
– P | Q    composition
– (νn)P    restriction
– !P    replication
– [M is N] P    match
– 0    nil
– let (x, y) =M in P    pair splitting
– case M of 0 : P suc(x) : Q    integer case

SLIDE 15

Result

  • When the probability of the intruder is zero (i.e. ideal cryptography), probabilistic-spi calculus is restricted to spi-calculus.
  • Unsafe in probabilistic-spi calculus implies unsafe in computational model
  • Safe in probabilistic-spi calculus implies safe in computational model

SLIDE 16

Security Protocol Verification

  • Probabilistic computational tree
SLIDE 17

Security Protocol Verification (2)

  • Given protocol P with set of states S, set of transition rules R and set of rules AR for identifying an attack state

qModelCheck(P)

Input: Protocol P = (S,R,AR) and probability p

Output: 1 if the protocol is secure, 0 otherwise

  • 1. If (ispAttackAR(S) /\ pAttackAR(S) p) then Return 0;
  • 2. Compute set pApplicablelhs(S) for each r ∈ R with r = lhs rhs;
  • 3. Compute pSuccR(S);
  • 4. For each S’ ∈ pSuccR(S);

– 5. B=qModelCheck(S’,R,AR);
– 6. If(B==0) then Return 0;

  • 7. Return 1
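
The qModelCheck recursion above, as an added Python example (not code from the presentation), run on the term M from the Example slides. It assumes the comparison lost from step 1 is ≥ and that a path's probability is the product of its rule probabilities; the fact names, the rule encoding and the p_dec values are constructed for illustration.

```python
from typing import FrozenSet, List, NamedTuple

class Rule(NamedTuple):
    lhs: FrozenSet[str]   # facts the intruder must already hold
    rhs: FrozenSet[str]   # facts gained when the rule fires
    prob: float           # 1.0 = ordinary Dolev-Yao step, < 1.0 = imperfect crypto

def build_rules(p_dec: float) -> List[Rule]:
    """Rules for the slide's term M; fact names are constructed labels:
    c1 = {{(m,K)}K1}K2, c1in = {(m,K)}K1, c2 = {(K1,K2)}K, Kp = K'."""
    f = frozenset
    return [
        Rule(f({"c2", "K"}), f({"K1", "K2"}), 1.0),    # decrypt with known key
        Rule(f({"c1", "K2"}), f({"c1in"}), 1.0),
        Rule(f({"c1in", "K1"}), f({"m", "K"}), 1.0),
        Rule(f({"c2"}), f({"K1", "K2"}), p_dec),       # break without the key
        Rule(f({"c1"}), f({"c1in"}), p_dec),
        Rule(f({"c1in"}), f({"m", "K"}), p_dec),
    ]

def q_model_check(state, rules, attack, p, reach=1.0) -> int:
    """Return 1 if no attack state is reachable with probability >= p
    (0 < p <= 1), else 0. `reach` is the probability of the path so far."""
    # Step 1: attack state reached with enough probability (>= is assumed).
    if attack <= state and reach >= p:
        return 0
    # Step 2: rules whose lhs holds and that still add something new.
    applicable = [r for r in rules if r.lhs <= state and not r.rhs <= state]
    # Steps 3-6: visit each successor, multiplying probabilities along the path.
    for r in applicable:
        nxt_reach = reach * r.prob
        if nxt_reach < p:        # probabilities only shrink, so prune
            continue
        if q_model_check(state | r.rhs, rules, attack, p, nxt_reach) == 0:
            return 0
    return 1                     # Step 7

INIT = frozenset({"c1", "c2", "Kp"})   # what the intruder sees in M
ATTACK = frozenset({"m"})              # attack state: intruder holds m

if __name__ == "__main__":
    for p_dec, p in [(0.01, 0.005), (0.01, 0.05), (0.0, 0.005)]:
        print(p_dec, p, q_model_check(INIT, build_rules(p_dec), ATTACK, p))
```

With p_dec = 0 every key-less rule is pruned and only the known-key decryption rules remain, which is the ideal-cryptography case of the Result slide.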
SLIDE 18

Conclusion

  • Advantage

– Simple model
– Inherit from spi-calculus. Can apply automatic verification tools
– Extending Dolev-Yao model. Can relate protocol in formal view to computational view

  • Drawback

– Need further consideration to be sure of compatibility with automatic verification tools
– Restricted to spi-calculus.

  • Work with other model checking methods (e.g. lazy intruder model)?

SLIDE 19

Thank you!

Q&A